1 /*        $NetBSD: get_in_tkt.c,v 1.3 2019/12/15 22:50:50 christos Exp $        */
2 
3 /*
4  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #define KRB5_DEPRECATED_FUNCTION(x)
37 
38 #include "krb5_locl.h"
39 
40 #ifndef HEIMDAL_SMALLER
41 
42 static krb5_error_code
make_pa_enc_timestamp(krb5_context context,PA_DATA * pa,krb5_enctype etype,krb5_keyblock * key)43 make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
44                           krb5_enctype etype, krb5_keyblock *key)
45 {
46     PA_ENC_TS_ENC p;
47     unsigned char *buf;
48     size_t buf_size;
49     size_t len = 0;
50     EncryptedData encdata;
51     krb5_error_code ret;
52     int32_t usec;
53     int usec2;
54     krb5_crypto crypto;
55 
56     krb5_us_timeofday (context, &p.patimestamp, &usec);
57     usec2         = usec;
58     p.pausec      = &usec2;
59 
60     ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
61     if (ret)
62           return ret;
63     if(buf_size != len)
64           krb5_abortx(context, "internal error in ASN.1 encoder");
65     ret = krb5_crypto_init(context, key, 0, &crypto);
66     if (ret) {
67           free(buf);
68           return ret;
69     }
70     ret = krb5_encrypt_EncryptedData(context,
71                                              crypto,
72                                              KRB5_KU_PA_ENC_TIMESTAMP,
73                                              buf,
74                                              len,
75                                              0,
76                                              &encdata);
77     free(buf);
78     krb5_crypto_destroy(context, crypto);
79     if (ret)
80           return ret;
81 
82     ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
83     free_EncryptedData(&encdata);
84     if (ret)
85           return ret;
86     if(buf_size != len)
87           krb5_abortx(context, "internal error in ASN.1 encoder");
88     pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
89     pa->padata_value.length = len;
90     pa->padata_value.data = buf;
91     return 0;
92 }
93 
94 static krb5_error_code
add_padata(krb5_context context,METHOD_DATA * md,krb5_principal client,krb5_key_proc key_proc,krb5_const_pointer keyseed,krb5_enctype * enctypes,unsigned netypes,krb5_salt * salt)95 add_padata(krb5_context context,
96              METHOD_DATA *md,
97              krb5_principal client,
98              krb5_key_proc key_proc,
99              krb5_const_pointer keyseed,
100              krb5_enctype *enctypes,
101              unsigned netypes,
102              krb5_salt *salt)
103 {
104     krb5_error_code ret;
105     PA_DATA *pa2;
106     krb5_salt salt2;
107     krb5_enctype *ep;
108     size_t i;
109 
110     if(salt == NULL) {
111           /* default to standard salt */
112           ret = krb5_get_pw_salt (context, client, &salt2);
113           if (ret)
114               return ret;
115           salt = &salt2;
116     }
117     if (!enctypes) {
118           enctypes = context->etypes;
119           netypes = 0;
120           for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
121               netypes++;
122     }
123     pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
124     if (pa2 == NULL)
125           return krb5_enomem(context);
126     md->val = pa2;
127 
128     for (i = 0; i < netypes; ++i) {
129           krb5_keyblock *key;
130 
131           ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
132           if (ret)
133               continue;
134           ret = make_pa_enc_timestamp (context, &md->val[md->len],
135                                              enctypes[i], key);
136           krb5_free_keyblock (context, key);
137           if (ret)
138               return ret;
139           ++md->len;
140     }
141     if(salt == &salt2)
142           krb5_free_salt(context, salt2);
143     return 0;
144 }
145 
146 static krb5_error_code
init_as_req(krb5_context context,KDCOptions opts,krb5_creds * creds,const krb5_addresses * addrs,const krb5_enctype * etypes,const krb5_preauthtype * ptypes,const krb5_preauthdata * preauth,krb5_key_proc key_proc,krb5_const_pointer keyseed,unsigned nonce,AS_REQ * a)147 init_as_req (krb5_context context,
148                KDCOptions opts,
149                krb5_creds *creds,
150                const krb5_addresses *addrs,
151                const krb5_enctype *etypes,
152                const krb5_preauthtype *ptypes,
153                const krb5_preauthdata *preauth,
154                krb5_key_proc key_proc,
155                krb5_const_pointer keyseed,
156                unsigned nonce,
157                AS_REQ *a)
158 {
159     krb5_error_code ret;
160     krb5_salt salt;
161 
162     memset(a, 0, sizeof(*a));
163 
164     a->pvno = 5;
165     a->msg_type = krb_as_req;
166     a->req_body.kdc_options = opts;
167     a->req_body.cname = malloc(sizeof(*a->req_body.cname));
168     if (a->req_body.cname == NULL) {
169           ret = krb5_enomem(context);
170           goto fail;
171     }
172     a->req_body.sname = malloc(sizeof(*a->req_body.sname));
173     if (a->req_body.sname == NULL) {
174           ret = krb5_enomem(context);
175           goto fail;
176     }
177     ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
178     if (ret)
179           goto fail;
180     ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
181     if (ret)
182           goto fail;
183     ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
184     if (ret)
185           goto fail;
186 
187     if(creds->times.starttime) {
188           a->req_body.from = malloc(sizeof(*a->req_body.from));
189           if (a->req_body.from == NULL) {
190               ret = krb5_enomem(context);
191               goto fail;
192           }
193           *a->req_body.from = creds->times.starttime;
194     }
195     if(creds->times.endtime){
196           ALLOC(a->req_body.till, 1);
197           *a->req_body.till = creds->times.endtime;
198     }
199     if(creds->times.renew_till){
200           a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
201           if (a->req_body.rtime == NULL) {
202               ret = krb5_enomem(context);
203               goto fail;
204           }
205           *a->req_body.rtime = creds->times.renew_till;
206     }
207     a->req_body.nonce = nonce;
208     ret = _krb5_init_etype(context,
209                                  KRB5_PDU_AS_REQUEST,
210                                  &a->req_body.etype.len,
211                                  &a->req_body.etype.val,
212                                  etypes);
213     if (ret)
214           goto fail;
215 
216     /*
217      * This means no addresses
218      */
219 
220     if (addrs && addrs->len == 0) {
221           a->req_body.addresses = NULL;
222     } else {
223           a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
224           if (a->req_body.addresses == NULL) {
225               ret = krb5_enomem(context);
226               goto fail;
227           }
228 
229           if (addrs)
230               ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
231           else {
232               ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
233               if(ret == 0 && a->req_body.addresses->len == 0) {
234                     free(a->req_body.addresses);
235                     a->req_body.addresses = NULL;
236               }
237           }
238           if (ret)
239               return ret;
240     }
241 
242     a->req_body.enc_authorization_data = NULL;
243     a->req_body.additional_tickets = NULL;
244 
245     if(preauth != NULL) {
246           size_t i;
247           ALLOC(a->padata, 1);
248           if(a->padata == NULL) {
249               ret = krb5_enomem(context);
250               goto fail;
251           }
252           a->padata->val = NULL;
253           a->padata->len = 0;
254           for(i = 0; i < preauth->len; i++) {
255               if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
256                     size_t j;
257 
258                     for(j = 0; j < preauth->val[i].info.len; j++) {
259                         krb5_salt *sp = &salt;
260                         if(preauth->val[i].info.val[j].salttype)
261                               salt.salttype = *preauth->val[i].info.val[j].salttype;
262                         else
263                               salt.salttype = KRB5_PW_SALT;
264                         if(preauth->val[i].info.val[j].salt)
265                               salt.saltvalue = *preauth->val[i].info.val[j].salt;
266                         else
267                               if(salt.salttype == KRB5_PW_SALT)
268                                   sp = NULL;
269                               else
270                                   krb5_data_zero(&salt.saltvalue);
271                         ret = add_padata(context, a->padata, creds->client,
272                                              key_proc, keyseed,
273                                              &preauth->val[i].info.val[j].etype, 1,
274                                              sp);
275                         if (ret == 0)
276                               break;
277                     }
278               }
279           }
280     } else
281     /* not sure this is the way to use `ptypes' */
282     if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
283           a->padata = NULL;
284     else if (*ptypes ==  KRB5_PADATA_ENC_TIMESTAMP) {
285           ALLOC(a->padata, 1);
286           if (a->padata == NULL) {
287               ret = krb5_enomem(context);
288               goto fail;
289           }
290           a->padata->len = 0;
291           a->padata->val = NULL;
292 
293           /* make a v5 salted pa-data */
294           add_padata(context, a->padata, creds->client,
295                        key_proc, keyseed, a->req_body.etype.val,
296                        a->req_body.etype.len, NULL);
297 
298           /* make a v4 salted pa-data */
299           salt.salttype = KRB5_PW_SALT;
300           krb5_data_zero(&salt.saltvalue);
301           add_padata(context, a->padata, creds->client,
302                        key_proc, keyseed, a->req_body.etype.val,
303                        a->req_body.etype.len, &salt);
304     } else {
305           ret = KRB5_PREAUTH_BAD_TYPE;
306           krb5_set_error_message (context, ret,
307                                         N_("pre-auth type %d not supported", ""),
308                                      *ptypes);
309           goto fail;
310     }
311     return 0;
312 fail:
313     free_AS_REQ(a);
314     return ret;
315 }
316 
317 static int
set_ptypes(krb5_context context,KRB_ERROR * error,const krb5_preauthtype ** ptypes,krb5_preauthdata ** preauth)318 set_ptypes(krb5_context context,
319              KRB_ERROR *error,
320              const krb5_preauthtype **ptypes,
321              krb5_preauthdata **preauth)
322 {
323     static krb5_preauthdata preauth2;
324     static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
325 
326     if(error->e_data) {
327           METHOD_DATA md;
328           size_t i;
329           decode_METHOD_DATA(error->e_data->data,
330                                  error->e_data->length,
331                                  &md,
332                                  NULL);
333           for(i = 0; i < md.len; i++){
334               switch(md.val[i].padata_type){
335               case KRB5_PADATA_ENC_TIMESTAMP:
336                     *ptypes = ptypes2;
337                     break;
338               case KRB5_PADATA_ETYPE_INFO:
339                     *preauth = &preauth2;
340                     ALLOC_SEQ(*preauth, 1);
341                     (*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
342                     decode_ETYPE_INFO(md.val[i].padata_value.data,
343                                           md.val[i].padata_value.length,
344                                           &(*preauth)->val[0].info,
345                                           NULL);
346                     break;
347               default:
348                     break;
349               }
350           }
351           free_METHOD_DATA(&md);
352     } else {
353           *ptypes = ptypes2;
354     }
355     return(1);
356 }
357 
358 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_cred(krb5_context context,krb5_flags options,const krb5_addresses * addrs,const krb5_enctype * etypes,const krb5_preauthtype * ptypes,const krb5_preauthdata * preauth,krb5_key_proc key_proc,krb5_const_pointer keyseed,krb5_decrypt_proc decrypt_proc,krb5_const_pointer decryptarg,krb5_creds * creds,krb5_kdc_rep * ret_as_reply)359 krb5_get_in_cred(krb5_context context,
360                      krb5_flags options,
361                      const krb5_addresses *addrs,
362                      const krb5_enctype *etypes,
363                      const krb5_preauthtype *ptypes,
364                      const krb5_preauthdata *preauth,
365                      krb5_key_proc key_proc,
366                      krb5_const_pointer keyseed,
367                      krb5_decrypt_proc decrypt_proc,
368                      krb5_const_pointer decryptarg,
369                      krb5_creds *creds,
370                      krb5_kdc_rep *ret_as_reply)
371     KRB5_DEPRECATED_FUNCTION("Use X instead")
372 {
373     krb5_error_code ret;
374     AS_REQ a;
375     krb5_kdc_rep rep;
376     krb5_data req, resp;
377     size_t len = 0;
378     krb5_salt salt;
379     krb5_keyblock *key;
380     size_t size;
381     KDCOptions opts;
382     PA_DATA *pa;
383     krb5_enctype etype;
384     krb5_preauthdata *my_preauth = NULL;
385     unsigned nonce;
386     int done;
387 
388     opts = int2KDCOptions(options);
389 
390     krb5_generate_random_block (&nonce, sizeof(nonce));
391     nonce &= 0xffffffff;
392 
393     do {
394           done = 1;
395           ret = init_as_req (context,
396                                  opts,
397                                  creds,
398                                  addrs,
399                                  etypes,
400                                  ptypes,
401                                  preauth,
402                                  key_proc,
403                                  keyseed,
404                                  nonce,
405                                  &a);
406           if (my_preauth) {
407               free_ETYPE_INFO(&my_preauth->val[0].info);
408               free (my_preauth->val);
409               my_preauth = NULL;
410           }
411           if (ret)
412               return ret;
413 
414           ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret);
415           free_AS_REQ(&a);
416           if (ret)
417               return ret;
418           if(len != req.length)
419               krb5_abortx(context, "internal error in ASN.1 encoder");
420 
421           ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
422           krb5_data_free(&req);
423           if (ret)
424               return ret;
425 
426           memset (&rep, 0, sizeof(rep));
427           ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
428           if(ret) {
429               /* let's try to parse it as a KRB-ERROR */
430               KRB_ERROR error;
431               int ret2;
432 
433               ret2 = krb5_rd_error(context, &resp, &error);
434               if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
435                     ret = KRB5KRB_AP_ERR_V4_REPLY;
436               krb5_data_free(&resp);
437               if (ret2 == 0) {
438                     ret = krb5_error_from_rd_error(context, &error, creds);
439                     /* if no preauth was set and KDC requires it, give it
440                    one more try */
441                     if (!ptypes && !preauth
442                         && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
443 #if 0
444                               || ret == KRB5KDC_ERR_BADOPTION
445 #endif
446                         && set_ptypes(context, &error, &ptypes, &my_preauth)) {
447                         done = 0;
448                         preauth = my_preauth;
449                         krb5_free_error_contents(context, &error);
450                         krb5_clear_error_message(context);
451                         continue;
452                     }
453                     if(ret_as_reply)
454                         ret_as_reply->error = error;
455                     else
456                         free_KRB_ERROR (&error);
457                     return ret;
458               }
459               return ret;
460           }
461           krb5_data_free(&resp);
462     } while(!done);
463 
464     pa = NULL;
465     etype = rep.kdc_rep.enc_part.etype;
466     if(rep.kdc_rep.padata){
467           int i = 0;
468           pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
469                                     KRB5_PADATA_PW_SALT, &i);
470           if(pa == NULL) {
471               i = 0;
472               pa = krb5_find_padata(rep.kdc_rep.padata->val,
473                                           rep.kdc_rep.padata->len,
474                                           KRB5_PADATA_AFS3_SALT, &i);
475           }
476     }
477     if(pa) {
478           salt.salttype = (krb5_salttype)pa->padata_type;
479           salt.saltvalue = pa->padata_value;
480 
481           ret = (*key_proc)(context, etype, salt, keyseed, &key);
482     } else {
483           /* make a v5 salted pa-data */
484           ret = krb5_get_pw_salt (context, creds->client, &salt);
485 
486           if (ret)
487               goto out;
488           ret = (*key_proc)(context, etype, salt, keyseed, &key);
489           krb5_free_salt(context, salt);
490     }
491     if (ret)
492           goto out;
493 
494     {
495           unsigned flags = EXTRACT_TICKET_TIMESYNC;
496           if (opts.request_anonymous)
497               flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH | EXTRACT_TICKET_MATCH_ANON;
498 
499           ret = _krb5_extract_ticket(context,
500                                            &rep,
501                                            creds,
502                                            key,
503                                            keyseed,
504                                            KRB5_KU_AS_REP_ENC_PART,
505                                            NULL,
506                                            nonce,
507                                            flags,
508                                            NULL,
509                                            decrypt_proc,
510                                            decryptarg);
511     }
512     memset (key->keyvalue.data, 0, key->keyvalue.length);
513     krb5_free_keyblock_contents (context, key);
514     free (key);
515 
516 out:
517     if (ret == 0 && ret_as_reply)
518           *ret_as_reply = rep;
519     else
520           krb5_free_kdc_rep (context, &rep);
521     return ret;
522 }
523 
524 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt(krb5_context context,krb5_flags options,const krb5_addresses * addrs,const krb5_enctype * etypes,const krb5_preauthtype * ptypes,krb5_key_proc key_proc,krb5_const_pointer keyseed,krb5_decrypt_proc decrypt_proc,krb5_const_pointer decryptarg,krb5_creds * creds,krb5_ccache ccache,krb5_kdc_rep * ret_as_reply)525 krb5_get_in_tkt(krb5_context context,
526                     krb5_flags options,
527                     const krb5_addresses *addrs,
528                     const krb5_enctype *etypes,
529                     const krb5_preauthtype *ptypes,
530                     krb5_key_proc key_proc,
531                     krb5_const_pointer keyseed,
532                     krb5_decrypt_proc decrypt_proc,
533                     krb5_const_pointer decryptarg,
534                     krb5_creds *creds,
535                     krb5_ccache ccache,
536                     krb5_kdc_rep *ret_as_reply)
537     KRB5_DEPRECATED_FUNCTION("Use X instead")
538 {
539     krb5_error_code ret;
540 
541     ret = krb5_get_in_cred (context,
542                                   options,
543                                   addrs,
544                                   etypes,
545                                   ptypes,
546                                   NULL,
547                                   key_proc,
548                                   keyseed,
549                                   decrypt_proc,
550                                   decryptarg,
551                                   creds,
552                                   ret_as_reply);
553     if(ret)
554           return ret;
555     if (ccache)
556           ret = krb5_cc_store_cred (context, ccache, creds);
557     return ret;
558 }
559 
560 #endif /* HEIMDAL_SMALLER */
561